Security Description of the Servers and Server Centers Used by Apprix Oy
Overview
The servers used by Apprix Oy are located in Finland, in the server center of Hetzner Online GmbH “Hetzner Data Center Park Helsinki”.
Hetzner is one of Europe’s leading hosting service providers.
Servers
The server center is certified according to the ISO/IEC 27001 standard.
Physical protection:
- High security server environment
- e.g. video surveillance, electronic access control, cooling, backup power supply.
Data network security:
- Multilevel secured connections
Server security:
- Prevention of distributed denial-of-service (DDoS) attacks
- Firewall
- Only carefully selected ports open
- IP restrictions enabled
- Identifying vulnerabilities
- Intrusion prevention
- Anti-virus
- Prevention of database intrusion (including SQL injection)
Software updates:
- Automatic updates
- Servers certified: “Common Criteria EAL2”
- Defined process and roles for regular server updates
Server management:
- Centralized server management
- Access to the server administration only via VPN connection
- Secure SSH/TLS connections to servers used by designated Apprix administrators
- Regular heartbeat-style server performance checks
Software Implemented by Apprix Oy
Security of data transmission
- All traffic through the web interface is encrypted (HTTPS, SHA-256).
- Encryption is also used in all other data transmissions to servers.
Data backup and recovery
- All program code is stored in version control, from where it can be restored to the latest or earlier version.
- An automatic backup of the database and application server is taken once a day.
- Daily backups are stored for 7 days.
- In addition, one monthly backup is retained.
- Copies of the server disks are synchronized by the IaaS; from these it is possible to quickly start a new identical server, for example in the event of a hardware failure.
- Easy-to-implement manual backup for special situations.
- Data recovery is tested regularly on a quarterly basis.
Service portability
- If agreed, the service (databases and software) can be installed on a new compatible server.
Location of service information incl. personal data and transfer restrictions
- The service and its information incl. personal data with confirmations are located in Hetzner Ag’s computer room in Finland.
- The GDPR Directive has been taken into account.
- Data will not be transferred outside the EU at any stage of the processing, maintenance or transfer of data in the service.
Deletion of data
- The information contained in the system will be deleted from the system server and backup servers when the service is terminated.
Security audit of services
- The security of the service is audited by an external professional body.
Service Administrators, Users, Roles and Responsibilities
- The main administrator of the services is Apprix Oy’s person responsible for the service in question.
- The main administrator has the right to access and manage all sections and data of the service.
- Customer’s administrators have access to and control over all sections and information of the service created for them.
- Administrators can grant limited, role-based access to the system itself through the system’s own access control functions.
- All credentials are personal; shared credentials are not used.
- All systems have password-based access control for usernames.
Security-Related Agreements
Confidentiality (NDA)
- A mutual confidentiality obligation is agreed between Apprix Oy and the customer.
- Apprix has made personal non-disclosure agreements with each person (its own employees and subcontractors) who handles customer data.
Data Processing Agreements (DPA)
- With regard to personal data, the European General Data Protection Regulation (GDPR) is taken into account.
- A DPA agreement has been made between Apprix Oy and Hetzner Online GmbH.
- When processing personal data, separate DPA agreements are made with customers.
Service Level Agreement (SLA)
- The service level agreement made between Apprix Oy and the customer defines the level of support (e.g. response times in various exceptional situations) and determines the SLA target levels.
Supported devices
Apprix systems are available with modern web browsers. The services support the following browsers and versions: